Potential Vulnerability in Using Multisig


This article has an interesting take on why multisig is in practice less secure than single sig with the majority of current hardware wallets. His arguments seem sound, in that one has to trust that the machine is uncompromised when setting up multisig, and verifying addresses on the hardware device itself becomes insecure because the XPUB may be altered and many hw wallets either cannot display their own XPUB or cannot remember the other multisig keys' XPUBs. So there is no way to verify that each generated address is uncompromised, even when viewing it on the hw device's screen.

It seems only BitBox02 currently gets around this potential vulnerability, because it verifies each XPUB for each multisig key upon setup of the multisig address, and remembers the other XPUBs on the hardware device itself.

Would love further discussion on this, as I was considering moving to 2/3 multisig with 3 Trezors.
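
The failure mode described in the post, as an added example that is not part of the original post or of the linked article: a standard-library-only Python script that derives a 2-of-3 P2WSH (sortedmulti) address from three cosigner XPUBs at a given index, then derives the same index again after the host has substituted one cosigner XPUB. The three seeds are constructed for the demo (not real wallets), the derivation path 0/i and the sortedmulti policy are assumptions, and the affine secp256k1 arithmetic is for illustration only (not constant-time, not for production use).

```python
import hashlib
import hmac

# secp256k1 parameters; plain affine arithmetic is enough for an illustration.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):                                   # None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):                                  # double-and-add
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def sec_encode(pt):                                 # 33-byte compressed public key
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def sec_decode(sec):
    x = int.from_bytes(sec[1:], "big")
    y = pow(x ** 3 + 7, (P + 1) // 4, P)            # square root works because p = 3 mod 4
    return (x, y if (y & 1) == (sec[0] & 1) else P - y)

# base58check and BIP32 extended-public-key serialisation
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
def dsha256(b): return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def b58check_encode(payload):
    n, out = int.from_bytes(payload + dsha256(payload)[:4], "big"), ""
    while n: n, r = divmod(n, 58); out = B58[r] + out
    return out

def b58check_decode(xpub):
    n = 0
    for c in xpub: n = n * 58 + B58.index(c)
    raw = n.to_bytes(82, "big")                     # 78-byte xpub body + 4-byte checksum
    if dsha256(raw[:-4])[:4] != raw[-4:]: raise ValueError("bad xpub checksum")
    return raw[13:45], sec_decode(raw[45:78])       # (chain code, public point)

def xpub_from_seed(seed):                           # master xpub (depth 0) for a demo seed
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k, cc = int.from_bytes(i[:32], "big"), i[32:]
    return b58check_encode(bytes.fromhex("0488B21E") + b"\x00" * 9 + cc + sec_encode(ec_mul(k, G)))

def ckd_pub(pt, cc, index):                         # BIP32 non-hardened public child derivation
    if index >= 0x80000000: raise ValueError("hardened step needs the private key")
    i = hmac.new(cc, sec_encode(pt) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return ec_add(ec_mul(int.from_bytes(i[:32], "big"), G), pt), i[32:]

# bech32 (BIP173) encoding of a version-0 witness program
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
def bech32_polymod(values):
    gen, chk = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3), 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for j in range(5): chk ^= gen[j] if (top >> j) & 1 else 0
    return chk

def segwit_v0_address(hrp, program):
    acc, bits, data = 0, 0, [0]                     # leading 0 = witness version
    for b in program:
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 5: bits -= 5; data.append((acc >> bits) & 31)
    if bits: data.append((acc << (5 - bits)) & 31)
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    pm = bech32_polymod(hrp_exp + data + [0] * 6) ^ 1
    data += [(pm >> 5 * (5 - j)) & 31 for j in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data)

def multisig_p2wsh_address(xpubs, path, m=2, hrp="bc"):
    """Return (address, sorted cosigner keys) for an m-of-n P2WSH sortedmulti at `path`."""
    keys = []
    for xpub in xpubs:
        cc, pt = b58check_decode(xpub)
        for idx in path: pt, cc = ckd_pub(pt, cc, idx)
        keys.append(sec_encode(pt))
    keys.sort()                                     # sortedmulti(): host cannot reorder cosigners
    script = bytes([0x50 + m]) + b"".join(b"\x21" + k for k in keys) + bytes([0x50 + len(keys), 0xAE])
    return segwit_v0_address(hrp, hashlib.sha256(script).digest()), keys

# Constructed demo seeds (NOT real wallets): three honest cosigners and one attacker XPUB
# that a compromised host could hand the device in place of cosigner 3.
COSIGNERS = [xpub_from_seed(bytes([i]) * 32) for i in (1, 2, 3)]
ATTACKER = xpub_from_seed(b"\xaa" * 32)

if __name__ == "__main__":
    honest, _ = multisig_p2wsh_address(COSIGNERS, [0, 0])
    swapped, _ = multisig_p2wsh_address([COSIGNERS[0], COSIGNERS[1], ATTACKER], [0, 0])
    print("honest :", honest)
    print("swapped:", swapped)
```

The device's own derived key appears in both scripts, so a screen that shows "your key is in this address" proves nothing about the other two cosigners; the substituted address is one the attacker co-controls. Only comparing all three XPUBs against a copy the device stores itself (what the post attributes to BitBox02) rules the substitution out, which is why a device that can neither display its own XPUB nor remember the others cannot give a meaningful address verification.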

